Presentation is loading. Please wait.

Presentation is loading. Please wait.

PASIS: Perpetually Available and Secure Information Systems Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu,

Similar presentations


Presentation on theme: "PASIS: Perpetually Available and Secure Information Systems Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu,"— Presentation transcript:

1 PASIS: Perpetually Available and Secure Information Systems Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz, Vijay Pandurangan, Craig Soules, John Strunk, Ken Tew, Cory Williams, Ted Wong, Jay Wylie Carnegie Mellon University

2 Greg Ganger January 2002http://www.pdl.cmu.edu/2 Create information storage systems that are Perpetually Available Information should always be available even when some system components are down or unavailable Perpetually Secure Information integrity and confidentiality should always be enforced even when some system components are compromised Graceful in degradation Information access functionality and performance should degrade gracefully as system components fail Assumptions – Some components will fail, some components will be compromised, some components will be inconsistent, BUT………. surviving components allow the information storage system to survive PASIS Objective

3 Greg Ganger January 2002http://www.pdl.cmu.edu/3  Surviving “server-side” intrusions  decentralization + data distribution schemes  provides for availability and security of storage  Surviving “client-side” intrusions  server-side data versioning and request auditing  enables intrusion diagnosis and recovery  Tradeoff management balances availability, security, and performance  maximize performance given other two Survivable Storage Systems

4 Greg Ganger January 2002http://www.pdl.cmu.edu/4 Self-Securing Storage Storage that protects itself prevents destruction of stored data prevents undetectable modifications looks for suspicious storage activity Effective tool for intrusion survival Detection: watches storage events and triggers alarms Diagnosis: provides info for administrators to analyze Recovery: provides complete history of data versions

5 Greg Ganger January 2002http://www.pdl.cmu.edu/5 Step #1: Additional Security Perimeter File System Application Host Operating System System Calls Storage Requests Insecure RPC or Device Driver RPC or Device Driver Storage protected by device Secure New security perimeter S4S4  Exploit storage device properties – Establish security perimeter around the device

6 Greg Ganger January 2002http://www.pdl.cmu.edu/6 Step #2: Internal Versioning & Auditing File 1 File 2 File (n-1) File n History pool 9/7/99 9:37:05 9/4/99 7:28:11... time

7 Greg Ganger January 2002http://www.pdl.cmu.edu/7 Step #2: Internal Versioning & Auditing File 1 File 2 File (n-1) File n Detection Window Expired versions History pool 9/7/99 9:37:05 9/4/99 7:28:11... time

8 Greg Ganger January 2002http://www.pdl.cmu.edu/8 Step #2: Internal Versioning & Auditing File 1 File 2 File (n-1) File n Detection Window Expired versions History pool 9/7/99 9:37:05 9/4/99 7:28:11... time  Storage device logs all requests –Audit log is externally read-only

9 Greg Ganger January 2002http://www.pdl.cmu.edu/9 Feasibility Evaluation (OSDI’00) Capacity requirements Question: Are large detection windows feasible? Conclusion: Weeks or months are possible Performance overheads Question: Are performance costs too high? Conclusion: Performance overhead is small … (<)<15% cost for versioning and auditing

10 Greg Ganger January 2002http://www.pdl.cmu.edu/10 Benefits of Self-Securing Storage Storage-based intrusion detection A new opportunity (and viewpoint) to observe Informed analysis of security compromises Log tampering is visible and recoverable Capture exploit tools stored on the target Faster, better recovery Earlier states still in history pool Legitimate changes still present in history pool also, recovery from accidental deletion

11 Greg Ganger January 2002http://www.pdl.cmu.edu/11 Storage-based Intrusion Detection Standard goal: Detect suspicious activity New opportunities to observe: 1.Changes to static files sshd, /bin/login, shell programs, config. files, etc. 2.Unexpected patterns of changes non-append changes to audit log, etc. 3.Corruption of well-understood files /etc/passwd, /var/log/wtmp, etc. 4.Suspicious content known viruses, hidden files or directories, etc.

12 Greg Ganger January 2002http://www.pdl.cmu.edu/12 for comparison... Stronger than current storage-related IDSs e.g., Tripwire or virus scanners These periodically run on host and compare filesystem state to reference database or known viruses Stronger because detection checks can be in real time they can’t be turned off in compromised host system they can’t be spoofed or filtered by intermediary they do not rely on reference database

13 Greg Ganger January 2002http://www.pdl.cmu.edu/13 Post-Intrusion Diagnosis Goal: Determine what/when it happened Self-securing storage informs key questions When did the intrusion happen? needed for recovery How did they get in? including capture of exploit tools for analysis What files were read, written, and seen tainted? damage estimation

14 Greg Ganger January 2002http://www.pdl.cmu.edu/14 For comparison: Conventional Diagnosis

15 Greg Ganger January 2002http://www.pdl.cmu.edu/15 Hardcore Conventional Diagnosis BIG forensics effort required before analysis discovering deleted evidence from deleted inodes unallocated blocks slack space in the final block of files problems that this causes incomplete info is difficult to analyze most evidence is completely gone Self-securing storage puts focus on analysis all storage actions and states are preserved

16 Greg Ganger January 2002http://www.pdl.cmu.edu/16 Post-Intrusion Recovery Conventional systemsSelf-securing storage Save user data— Wipe system— Reinstall OSReboot w/ safe image Restore from tapeCopy forward system state Validate user data Restore user data

17 Greg Ganger January 2002http://www.pdl.cmu.edu/17 Post-Intrusion Recovery Conventional systemsSelf-securing storage Save user data— Wipe system— Reinstall OSReboot w/ safe image Restore from tapeCopy forward system state Validate user data Restore user data

18 Greg Ganger January 2002http://www.pdl.cmu.edu/18 Restore pre-intrusion versions rapidly Conventional systemsSelf-securing storage Save user data— Wipe system— Reinstall OSReboot w/ safe image Restore from tapeCopy forward system state Validate user data Restore user data Restoring pre-intrusion state

19 Greg Ganger January 2002http://www.pdl.cmu.edu/19 Copy-forward users’ work carefully Conventional systemsSelf-securing storage Save user data— Wipe system— Reinstall OSReboot w/ safe image Restore from tapeCopy forward system state Validate user data Restore user data Restoring users’ work

20 Greg Ganger January 2002http://www.pdl.cmu.edu/20 Summary of self-securing storage Protect stored data and audit storage accesses even if client OS is compromised Can save and observe anything inside device retain all versions of all data collect audit log of all requests watch storage events and trigger alarms Self-securing storage enables: storage-based intrusion detection Informed analysis of security compromises faster, better recovery

21 Greg Ganger January 2002http://www.pdl.cmu.edu/21 Client Apps Local PASIS Agent PASIS Storage Nodes Tradeoff Management Multi-read/write Communication Encode & Decode Client Applications PASIS Storage Nodes System Characteristics User Preferences PASIS Agent Architecture

22 Greg Ganger January 2002http://www.pdl.cmu.edu/22 Trade-off space Scheme Selection Surface

23 Greg Ganger January 2002http://www.pdl.cmu.edu/23  Decentralization + data distribution schemes  provides for availability and security of storage  Tradeoff management balances availability, security, and performance  … and it is good engineering practice!  Data versioning to survive malicious users  enables intrusion diagnosis and recovery PASIS: Summary

24 For more information: Director, Parallel Data Lab


Download ppt "PASIS: Perpetually Available and Secure Information Systems Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu,"

Similar presentations


Ads by Google